Category archive: RSA NetWitness

Bypassing Cisco’s Sourcefire AMP endpoint solution – Full demo & comparison with RSA NWE

This article demonstrates one of the key differences between next-generation AV endpoint protection and EDR solutions such as RSA NetWitness for Endpoints (RSA NWE). It shows how Cisco’s endpoint protection solution Sourcefire AMP is bypassed by a buffer overflow exploit followed by in-memory post-exploitation activities. The test was performed on a fully patched Windows 10 machine with MS Defender, the MS Firewall, the Cisco AMP agent and the RSA NWE agent all installed and active.

The setup used for this test was the following (the numbered screenshots are not reproduced here; only their captions are kept, in order):

  • Windows 10 client protection verification
  • Vulnerable application is installed and running
  • Cisco SourceFire AMP does not find any issues on the clean machine
  • AMP tracking information does not highlight any suspicious activities
  • RSA NWE does not find any suspicious activities on the clean machine
  • Attacker – KALI setting up exploit & payload module
  • Running remote buffer overflow exploit
  • No alerting from either Cisco AMP or MS Defender…
  • Attacker runs additional post exploitation activities such as a keylogger
  • Attacker searches and downloads password.txt & creates a screenshot
  • Attacker performs an ARP network scan
  • Attacker starts an interactive SHELL and runs WHOAMI & IPCONFIG commands
  • Still no alerting from either Cisco AMP or MS Defender…
  • Cisco AMP does not detect or notify on exploit and post exploit activities…
  • Now let’s look at RSA NWE (screenshots 17–22 show the NWE alerting for the same activities)

What would you prefer?……. :-S


RSA NetWitness. Disable AD accounts and add Domains to a Proxy block list with a mouse click. Examples and code

This article aims to demonstrate the flexibility of the RSA NetWitness solution by showcasing some simple mouse-click response activities. The first example demonstrates disabling Active Directory domain user accounts with just one mouse click. The second example uses a similar approach to add domains to a proxy blacklist. All necessary commands, settings and code are provided at the bottom of the article. I hope you will find this useful, and if you have any comments or suggestions please let me know.

Example 1. Mouse Click Active Directory User Account Disablement

Brief infra overview:

  • 192.168.1.111 – NW Server & Packet Hybrid
  • 192.168.1.119 – NW ESA & Log decoder
  • 192.168.1.130 – Windows 2012 DC with domain RSA.LAB
  • 192.168.1.131 – Centos Apache, PHP & Squid Proxy installation

Screenshot overview: screenshots 1–5 (images not reproduced in this extract)

Example 2. Mouse Click Proxy Blacklist Domain Activity

Brief infra overview:

  • 192.168.1.111 – NW Server & Packet Hybrid (RSA internal demo VM)
  • 192.168.1.119 – NW ESA & Log decoder (RSA internal demo VM)
  • 192.168.1.130 – Windows 2012 DC with domain RSA.LAB
  • 192.168.1.131 – Centos Apache, PHP & Squid Proxy installation

Screenshot overview: screenshots 6–10 (images not reproduced in this extract)

If you would like to replicate this setup, please leave a comment or send me a message and I will send you all the required setup & config files.
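The two response actions behind the mouse clicks in Example 1 and Example 2 (disable an AD user, add a domain to the Squid proxy blacklist), written out as an added example. This is not the author's code and not the files the article refers to; the NetWitness context-menu glue that calls the Apache/PHP host is not shown. It assumes the AD side is done over LDAP by setting the ACCOUNTDISABLE bit of userAccountControl (the change is built in the dict shape the ldap3 library expects, but no directory connection is opened), that the proxy side is a plain-text file read by a Squid `dstdomain` ACL, and that the file path, account name and domain names are constructed placeholders.

```python
"""One-click response actions of the kind the post describes: disable an
Active Directory user and add a domain to a Squid block list.

Added example, not the author's code. Assumed squid.conf wiring:
    acl blocked_domains dstdomain "/etc/squid/blocked_domains.txt"
    http_access deny blocked_domains
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# In Active Directory, bit 0x2 of userAccountControl is ACCOUNTDISABLE.
ACCOUNTDISABLE = 0x0002

# The value behind the mouse click comes from the analyst console, so treat it
# as untrusted: only sAMAccountName-shaped strings reach the LDAP filter. The
# character class excludes ( ) * \ and NUL, the characters an LDAP filter
# injection would need.
_SAM_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")
# RFC 1123 host name labels, at least two of them (no bare host names).
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def disabled_uac(current_uac: int) -> int:
    """Return userAccountControl with ACCOUNTDISABLE set and all other flags kept."""
    return current_uac | ACCOUNTDISABLE


def build_disable_request(sam_account_name: str, current_uac: int) -> Tuple[str, Dict]:
    """Return (search_filter, changes) for disabling one user.

    search_filter locates the account's DN; changes is what you would pass to
    ldap3's Connection.modify(dn, changes) ('MODIFY_REPLACE' is the string
    value of ldap3.MODIFY_REPLACE). current_uac is the value read back from
    the directory first, so flags such as DONT_EXPIRE_PASSWORD survive.
    """
    if not _SAM_RE.match(sam_account_name):
        raise ValueError(f"refusing suspicious account name: {sam_account_name!r}")
    search_filter = f"(sAMAccountName={sam_account_name})"
    changes = {"userAccountControl": [("MODIFY_REPLACE", [disabled_uac(current_uac)])]}
    return search_filter, changes


def add_domain_to_blocklist(blocklist: Path, domain: str) -> bool:
    """Append domain to the Squid dstdomain file.

    Entries are written with a leading dot so Squid also matches subdomains.
    Returns True if added, False if already listed; raises ValueError for
    anything that is not a host name, so a crafted value never lands in a
    file Squid parses.
    """
    domain = domain.strip().lower().lstrip(".").rstrip(".")
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a domain name: {domain!r}")
    existing = set()
    if blocklist.exists():
        for line in blocklist.read_text().splitlines():
            line = line.strip().lower()
            if line and not line.startswith("#"):
                existing.add(line.lstrip("."))
    if domain in existing:
        return False
    with blocklist.open("a") as fh:
        fh.write("." + domain + "\n")
    return True


def squid_reload_argv() -> List[str]:
    """argv (a list, never a shell string) to make Squid re-read its ACL files."""
    return ["squid", "-k", "reconfigure"]


def demo() -> Dict:
    """Run both actions against constructed input and report what happened."""
    # 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, a constructed starting value.
    search_filter, changes = build_disable_request("jdoe", 0x10200)
    with tempfile.TemporaryDirectory() as tmp:
        blocklist = Path(tmp) / "blocked_domains.txt"  # constructed path
        first = add_domain_to_blocklist(blocklist, "Evil-Updates.example")
        second = add_domain_to_blocklist(blocklist, "evil-updates.example.")  # duplicate
        third = add_domain_to_blocklist(blocklist, "bad.example")
        try:
            add_domain_to_blocklist(blocklist, "bad.example; rm -rf /")
            rejected = False
        except ValueError:
            rejected = True
        lines = blocklist.read_text().splitlines()
    return {
        "search_filter": search_filter,
        "changes": changes,
        "adds": (first, second, third),
        "rejected": rejected,
        "blocklist": lines,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to any real implementation: the clicked value is analyst input that ends up in an LDAP filter and in a file Squid parses, so it is validated before use rather than interpolated; and the account's current userAccountControl is read first and only the ACCOUNTDISABLE bit is OR-ed in, instead of writing a fixed value that would silently drop the account's other flags.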